[dan_rock_wilson]

Deno: has a basic permission model that is very helpful, written in Rust, and native TypeScript support.

I'm not deep in the webdev / node / Bun ecosystems, I've just been a happy user of Deno for small services for several years. Can someone explain why it sounds like there's such rapid growth of Bun? Is it just being used as a bundler, but not as JS runtime?

Just the permission system alone (though I wish it extended to modules) is so compelling with Deno that I'm perplexed at why someone would transition from node to bun and not node to Deno.

[vmg12]

Deno and Bun had very different focuses when they launched. Deno was trying to fix a lot of what Ryan (the original creator of Node) thought was wrong with Node. Bun focused on compatibility with Node and the ability to run popular frameworks like Nextjs from the beginning.

A lot of dependencies and frameworks simply did not work with Deno for a long time. In the beginning it didn't even have the ability to install dependencies from npm. (In hindsight with all the npm supply chain attacks Ryan was probably right about all of these things).

So Bun was a better Node with a lot of very nice quality of life features that just worked and it required much less configuration.

I think the Deno team kind of realized they needed to have compatibility with Node to succeed and that has been their focus for the past couple years.

Edit: And Deno is now more compatible with node than bun.

[gslepak]

> In hindsight with all the npm supply chain attacks Ryan was probably right about all of these things

"Probably"? Are you saying there's a chance he wasn't right?

I really think Ryan deserves a lot more credit than a "probably". He put in a lot of effort to do the right thing and improve the security of the entire ecosystem he created.

[MrJohz]

I think the biggest issue with Deno is that it fixes real issues but in the wrong way.

Take the sandboxing stuff. In theory, you have always been able to sandbox your applications. There are so many tools that let you limit what domains an application can access or restrict access to the file system. This doesn't need to be handled at the language/runtime level. It's just that people were lazy before, and they will continue to be lazy afterwards by running Deno applications with fewer than the minimum set of restrictions because that's easier.

The more complete way of solving the problem would have been capabilities. Rather than sandboxing the whole application, you instead sandbox each individual function. By default a function can make no requests, access no files, execute nothing, etc. But while the application is running, you can pass individual functions a token that grants them limited access to the filesystem, say. This means that trusted code is free to do what is necessary, but untrusted code can be very severely limited. It also significantly reduces what dependencies can do: if you're using something like `lodash` which provides random utilities for iterating over object keys and the like, and suddenly it starts asking for access to the web, then clearly something is wrong, and the runtime can essentially make that impossible.

It's also great for things like build scripts, which are a common attack vector right now. If your runtime enforces that the build script only has access to the files in the project folder, and can't access arbitrary files or run arbitrary commands, then you're in a much safer position than if your build script can do basically anything.

This concept has been explored before, but JavaScript is basically ready-made for it. The language already has everything you need — a runtime that also acts as a sandbox, unforgeable tokens (e.g. `Symbol` or `#private` variables), etc — and you can design an API that makes it easy to use capabilities in a way that enforces the principle of least privilege. The biggest problem is that there's basically no way to make it backwards compatible with almost anything that works with Node, because you'd need to design all the APIs from scratch. But one of the great things about Deno at the start was that they did try and build all of the APIs from scratch, and think about new ways of doing things.

[lenkite]

Are there languages and runtimes which have done stuff at this low-level before ? Sandboxing at the individual function level ?

[nesarkvechnep]

There's Capsicum on FreeBSD.

[mcdonje]

seL4 is an operating system that uses capabilities

[stephbook]

Use a .devcontainer and you're done in 10 seconds without any new runtime implementations.

[oblio]

I'm not sure how this solves lodash wanting network access.

[sysguest]

this

we nodejs devs were just ignorant/lazy

npmjs should mark libs "deno compatible" and move over to deno gradually for security

[VerifiedReports]

I started a new project with Deno specifically to avoid the NPM mess, and because it was created by Node's creator to fix its shortcomings. I'm new to Web development, but so far the experience has been pretty good.

Nice to see Deno being maintained. The features listed seem pretty substantial.

[tuananh]

> Bun focused on compatibility with Node and the ability to run popular frameworks like Nextjs from the beginning.

and yet Bun's npm compat is much much lower than deno

https://x.com/rough__sea/status/2057579066744881188

[vmg12]

I was talking about the history and not the current state of the projects if that was not obvious.

[nailer]

(thinking emoji) they could merge.

Seriously, they're both Rust now. They share goals.

[tomjakubowski]

I doubt it would work out. The engineering cultures could not be any different.

[sellmesoap]

I think different cultures can contribute to eachother, they don't have to hold hands. I'm sure open minded curious developers can look over the fence and appreciate the differences and adopt practical aspects of each other, maybe the time to stop and smell the roses is to poetic and altruistic. It's a JavaScript server/packager/framework drag race for pink slips!

[sysguest]

well bun could 'gradually become deno':

1. add 'enhanced security mode' that's actually 'deno-compatible/like' (permissions, etc)

2. mark libs/executables/etc as 'enhanced security compatible'

3. ...merge by buying out deno?

[andrewflnr]

> The engineering cultures could not be any different.

A Bun team willing and able to execute your plan is not one willing to merge a vibe-coded rewrite in a couple weeks.

[notnullorvoid]

They may share some goals, but also have differing and opposing goals.

But it's possible that all 3 Deno, Node, and Bun could share some code in the future considering they now all require Rust as part of their build process.

[dmit]

> Can someone explain why it sounds like there's such rapid growth of Bun?

In my case, when I start a little Typescript side project, instead of drowning in the sea of npm/yarn/berry/pnpm/bubble/vite/webpack/rollup/rolldown/rollout/swc/esbuild/teatime/etc I can just use one thing. And yes, only some of those are Pokémon moves and not actual tools from the JS/TS ecosystem.

[satvikpendem]

But...Deno also has an all in one CLI too. The question was why Bun specifically grew in popularity over Deno.

[sheept]

Deno's goal was to address Node's design weaknesses, while Bun came out with the promise of faster performance. Especially if you're coming from Node or migrating an existing project, it's easier to justify switching to Bun than to Deno.

Since then, all three runtimes have been gradually converging (adopting Web APIs, first class TypeScript support), so there's little reason to move away from Node's vast ecosystem to Deno; most npm packages weren't made with Deno's security model in mind.

Deno's biggest strength is when you want its security model and don't plan on using npm packages, e.g. if you want to let agents write and run quick scripts on your machine without awaiting your permission.

[coffeebeqn]

In my area it feels like it’s competing against go which is a language purposefully designed for the thing we’re building and has a great tool chain already. I never really wanted JavaScript. It’s not a very thoughtfully designed language and the not very good design was made for the browser. I just used node because it was simple to get it working. And you have bun and things like that competing for the space too

[moron4hire]

> It’s not a very thoughtfully designed language...

This meme has to die. It hasn't been true for longer than it was ever true. Yes, we all know Brendan Rich "designed JavaScript in a week" in 1995, but that initial design was A) actually quite elegant for its goals, and B) has really only been an historical curiosity since the ECMAScript standardization process started in 2005. There are people who were born, grew up, learned JS, and have solid careers working in it since that time.

The ECMAScript we have today, and the Typescript extensions of it, is one of the most robust, best performing, intentionally designed dynamic scripting languages on the market. It helps that every major tech corporation in the world has gobs of the stuff bearing loads somewhere in their organizations; they invest massively in making sure it's pretty good.

Before any pedant comes in to post the "Wat" talk, no, JavaScript is not a perfect language. While I personally prefer strictly typed JIT language to it, I still write a lot of it, might even be most of what I write. JavaScript today is as good of a design of a dynamic scripting language as you will find.

[arikrahman]

It's not thoughtfully designed. Just look at the effort Rich Hickey took with Clojure and then compare. It's not even in the same league.

[moron4hire]

(I know it's Brendan Eich, I just didn't notice the damn glass keyboard made its own decisions on what I meant.)

[dmit]

> no, JavaScript is not a perfect language

Such a brave stance against a claim literally nobody has ever staked.

[sysguest]

yeah it's such a pity deno's security features could have made recent npm attacks moot...

[sheept]

The recent npm supply chain attacks relied on lifecycle scripts, which Deno doesn't run by default, but neither do pnpm or Bun. While Deno, like npm, supports a minimum release age, it doesn't enable it by default.

[sysguest]

well deno has 'allow-read' 'allow-write' kind of permission, so if something tries to read from my ~/.ssh or other important folder, it can just block it

even with blocking lifecycle scripts, the attacker could have planted it somewhere else or just trick the dev somehow to run it

[cyanydeez]

the problem was at the start of deno, it didn't integrate with npm; the same way Macintosh used to be free of virus and trojan horses was because people just didn't use it enough.

[diegof79]

Mainly DX.

Deno has many of those things now, but my past experience wasn’t good. The first versions of Deno had a lot of friction; Bun however was more or less useful from day 1.

[steve_adams_86]

There are still some points of friction, but I'm content with it otherwise. The problems Deno resolves for me far outweigh the problems it introduces these days. I think the inflection point was roughly a year ago for me. Prior to that I really wanted to love it, but I ran into too many issues with the tooling I used most often. It was pretty frustrating. These days I rarely encounter anything at all, and I miss it a lot when I use other runtimes.

[STRiDEX]

Bun simplified the pain with the ecosystem switch to esm. deno, at the time, made it worse by doing stuff with url based packages that didn’t fully catch on

[jitl]

Deno originally was not Node compatible at all, and required you to do everything in a Deno way:

- Deno plugin in editor, otherwise types dont work

- All imports via absolute URL, like Golang

- No backwards compatibility, so no existing code worked.

Since Deno 2, they've taken Node compatibility much more seriously, hence the 50% to 70% compatibility jump claimed here.

Bun on the other hand, tried to make things Just Work without requiring any thinking for Nodejs / TypeScript developers. It's basically the `node` development experience with all incidental frictions removed (but some segfaults added).

tl;dr: you can use `bun` to write node projects, but `deno` can only be used for deno projects

[sysguest]

well benchmarks that's why

if the numbers look good, I pick it up -- though whether the numbers actually hold in reality is... well something I should check... but won't due to laziness...

I should check actual perf numbers... well next week or month?

[yroc92]

I use (and like) both. Bun is a drop-in replacement for node. If you don't want to fuss with test config, tsconfig, esmodules, etc., I find that it just works. Deno has a nice standard lib, great CLI support, and I used to love deno deploy but its gotten very clunky these days.

[3uler]

But if you look at the node compliance tests, deno has better compliance now days…

[CharlesW]

Insanely better, at 76% Node compliance in Deno 2.8.

Bun 1.3.14 is at just 40.6% with same compliance test.

https://node-test-viewer.deno.dev/

[garbagepatch]

I guess Bun had the better marketing then. I liked how every new feature came with a benchmark against the previous version and node. See this for example: https://xcancel.com/bunjavascript/status/2048228152397459590

I'd love to see a site comparing the 3 of them in a similar way.

[yoyohello13]

Same, I'm mostly a back end dev but when I dip my toes into frontend for personal projects Deno just seems like the most sane choice. It's really nice to work with. I'm kind of sad it doesn't seem to have taken off among the JS folks.

[shepherdjerred]

I used Deno for about a year. I liked it for the reasons you gave, but there were way too many compatibility issues with packages like Astro, Prisma, Vite.

So, I switched to Bun and things have been much smoother!

[ddosmax556]

I can tell you my experience as a js package dev, last tried a few weeks ago. We're building an npm package that's supposed to run on both node.js, deno & bun & the web.

This is an annoying to do for exactly two platforms: node.js, and deno.

node.js bcs it requires a workaround whenever something networking comes in: fetch doesn't work the same. So you structure you're code around having a node.js workaround. Same story for some other APIs. But you can test if itn works!

Deno is more annoying, you just can't test your package with deno before publishing. Before we released to npm, we installed a tar file and sent those around for testing. Works in node, in vite (node, for browser), works in bun, like a charm. Doesn't work with deno unless you switch to package.json, and you use exactly the subset of the spec that deno supports. You can't "deno install xyz.tar", you have to use npm for that (inserts a single line into package.json), THEN you can use deno to execute. No docs, no hint, just trial & error.

Even more annoyingly, npm & bun both offer 'link': in package repo, call npm/bun link, in the test repo do npm/bun link @yourpackage, and that's it, it's installed. Creates a dyn link to the source's build dir so you can rebuild without packing or sending tars or anything like that, you just build in your package dir and the test project is immediately updated.

Deno doesn't have that. What's worse, they don't tell you they don't have that. Also basically no error messages. It just fails in weird ways. Spent hours trying to do it. Now I just publish without testing for deno and wait for bug reports.

So out of the three: bun just works. That's it. Better than any platform. It just works, and it has a nicer CLI & nicer error messages, and it's faster on startup. It has the web api and the node api (i think) and its own api that's very nice as well, nicer than e.g. node. And e.g. if you run bun link, it tells you exactly what happened: this is what just happened, this is what you have to do to use it elsewhere. Node doesn't have that!

I think deno recognized bun's strategy of using npm dev's backbone as being the better call - that's why they're now slowly introducing node.js features, even though that goes against their original USP.

[bartlomieju]

Thanks for feedback, I opened a PR to implement linking functionality that seems more familiar to npm's strategy: https://github.com/denoland/deno/pull/34359

[chamomeal]

I’m also perplexed that deno isn’t more quickly becoming the defacto server side JS/TS runtime. It really feels like the grown-up version of node.

Node always felt immature compared to stuff like go or java. I still preferred it to go and java. But deno is like node without all the shitty parts. It’s just so simple and productive and has so much good stuff built in. Even building projects with npm packages is easier with deno than with node now.

Bun feels like a faster horse, I guess. I really can’t imagine going back to node/bun on purpose, if I have a choice

[wiseowise]

> Node always felt immature compared to stuff like go or java.

Not enough boilerplate and EnterpriseBeanFactorySingleton?

[chamomeal]

Lmao well I still prefer node to java for many reasons. But if anybody is looking for EnterpriseBeanFactorySingleton in node world, nestjs scratches that itch of a 5:1 boilerplate-to-biz-logic ratio

[vorticalbox]

I think the main issue was when deno first came out it used urls for imports then later added support for npm.

By then bun was already a thing and just ate into its share.

[VerifiedReports]

Why do you consider URLs a problem?

[AgentME]

One issue was that all dependencies had to be pinned to exact versions. If some sub-dependency of yours got a bugfix in a minor or patch update, your project only gets that update once the dependency updates to bump its dependencies and then you update that dependency. (Pinning exact versions of everything has its place but that place generally should be in your own project's lockfile.)

Also, if multiple dependencies of yours share a sub-dependency, then unless they pick the exact same patch version then you're almost always going to have multiple versions of common sub-dependencies loaded. (It's great that multiple versions of a dependency can be loaded at once because it lets you avoid the classic "dependency hell" issue, but having multiple versions of nearly all of your common sub-dependencies gets wasteful at some point. Generally there's rarely a good reason to have multiple versions of the same dependency that only differ in patch or minor version.)

(Deno's current support for NPM and JSR avoids these issues.)

[WorldMaker]

Deno always supported importmaps so dependency management was importmap management. If a script had its own dependencies it could depend directly on a URL or better yet it could use an importmap name and expect you to add it to your own importmap. Admittedly that was moving some of the work of a package manager to manual steps, though, so JSR is still an improvement over managing an importmap yourself for your entire dependency tree.

Also, URLs didn't have to mean "exact version". A script provider might use a URL scheme with exact versions in it such as `/packagex/2.18.3/main.js` or could do semver-floating symlinks like `/packagex/2.18/main.js` for latest patch and `/packagex/2/main.js` for latest minor. You could even have hosts that just used the classic top-level `/packagex.js` for whatever is the latest.

I think the real problem with URL dependencies wasn't so much "exact versions", it was the confusing flexibility that versioning schemes were dependent on the package host because URLs are orthogonal/agnostic to version numbering and different package hosts can do whatever they wanted. (Naming conventions you'd have to look up for each/every host versus semver-aware package management code.)

[VerifiedReports]

Thanks. I use JSR and always pull in the latest, figuring that I'll lock it down when development is done.

[AgentME]

Your deno.json/package.json should generally pin things to their major version (eg. "^3.1.4"). Your application's lockfile (deno.lock/package-lock.json) which is generated by default pins your dependencies and your sub-dependencies to exact versions.

[vorticalbox]

I don’t consider them a problem at all. It’s how browsers have worked for a long time.

My point was at the time when deno came out it was completely different to node with its imports and that meant a lot of existing packages just didn’t work out of the box. That just slowed its traction.

Personally I would have like deno it stick with url imports and not added the npm support.

Ryan set out to “fix” his mistakes with node only to fully embrace them again.

[satvikpendem]

Annoying to update instead of a package.json, which they now have an equivalent of, realizing their mistake.

[culi]

Bun had some early (imo, extremely deceptive) benchmarks that showed it had really good performance compared to Node and Deno. Zig was also a fledgling hotlang and Bun managed to translate the Zig community into more energy behind Bun. In addition to that, the creator of Bun became a minor celebrity for spending probably over 12 hours almost every single day working on it.

Everything just came together at the right time really quickly and they managed to capitalize on it.

Also at the time Deno had only just started to backtrack on npm-compatibility and it was still in its infancy (I'd say its fully mature today). Bun was ahead of that curve which made it immediately useful.

[WorldMaker]

I imagine some of Bun's growth is just simply V8 fatigue. JavaScriptCore does have some different runtime characteristics and it is nice to a diversity in language engines.

(It seems too bad ChakraCore is mostly out to pasture and not keeping up with TC-39 and that there's still no good Node-compatible wrapper for SpiderMonkey, but having one for JavaScriptCore is still a breath of fresh air.)

[vmg12]

I'm very confident that users of these runtimes do not care about the underlying Js engine powering them. Bun succeeded because it was compatible with node and required much less configuration to get a standard typescript and react app running.

[WorldMaker]

I'm not suggesting it is a conscious decision point. Node has since done a lot to catch up on "less configuration" but Bun still seems to be growing even as what Bun does well Node starts to emulate. Runtime performance is mentioned in this thread here and elsewhere and while some are attributing that to Zig I think some are overlooking the different runtime experience of JavaScriptCore. It's also the "only" runtime difference between Deno and Bun if you assume that Rust and Zig are similarly performant native layers for some saying they like Bun's runtime performance better than Deno's.

[npn]

because for most people they don't need what deno promises.

me for example only use nodejs or bun to run a basic sveltekit server, so it can render the html for the first time. all core functionalities are delegated to backend services written in crystal or rust. I don't need some bloated js runtime that hoard 500MB of ram for that purpose (crystal services only take 20+ MB each).

bun promised a lean runtime, every essential functionality is written in zig to increase the speed and memory footprint. and javascriptcore also uses less memory compare to v8. the only thing we expect is for bun to stabilize and can run 24/7 without memory leaking or crashing.

too bad it is a failed promise now.

[robflynn]

I hadn't heard of crystal somehow, I work with ruby a lot so that might be fun to play around with.

[cptmurphy]

Deno permission system is so basic. What you need is capability system

[AgentME]

Javascript/Typescript as it is now isn't a great language for a real capability system because any code can monkey-patch global objects and use that to steal capability objects from elsewhere. JS code of different privilege levels needs to be run in separate realms at the very least. (Though there are proposals for things like frozen realms that try to make JS more suitable for capability systems.)

[vrighter]

one more reason I would have preferred a world in which lua was used in js's place

[AgentME]

Isn't Lua equally monkey-patchable? Both of the languages, along with Python and Ruby, represent nearly everything as mutable objects.

[vrighter]

but you can relatively easily sandbox anything you want and close all escape hatches. If you want to turn off the monkeypatching functionality, that's just a metatable or two away. I can and regularly disable monkeypatching on some of my libraries (especially where it interacts with c++ interop). JS now has proxy objects, but lua has been able to do this since way before

And also those stackful coroutines, would have made callback hell non-existent, and no async/await function coloring either (as long as you started one coroutine somewhere up the call stack.

[pier25]

Bun doesn't require special tooling since it uses standard TS and follows the Node conventions. With Deno you need special tooling for eg the weird import system and package manager.

Bun also includes stuff that you'd need a third party dependency with Deno or Node. Eg: database drivers, S3 client, etc.

Finally, Bun overall has better performance and efficiency compared to Deno.

That said, I'm going back to Node after the recent Bun fiascos with their Rust AI re-write.

[nsonha]

"basic permission model" used to be the only thing Deno had going for, and the keyword is "basic". They pivot pretty late to become a drop-in replacement for nodejs (using the term drop-in loosely here).

Bun has a pragmatic approach from the beginning for being a all-in-one toolset (not just a runtime) and node's replacement. They also has gradual adoption paths such as using bun only as package manager and/or test runner.

[giancarlostoro]

Deno is from scratch attempting to pass as many NodeJS tests as possible. Bun piggybacks off the WebkitJS library iirc and shims anything nodejs specific it needs.

[paulddraper]

Bun prioritized Node.js compatibility.

Deno since adjusted, but Bun gained a lot of market share in the meantime.

[wiseowise]

> Can someone explain why it sounds like there's such rapid growth of Bun? Is it just being used as a bundler, but not as JS runtime?

Bundler + used by Claude Code, that’s pretty much it.

[spixy]

Because I don't care about that permission system. Server will run in some container or k8s anyway.

And node / bun development is much easier because of many many npm packages.

[interstice]

Although the attacks on the NPM ecosystem are making that sound more like a liability by the day.

[wk_end]

When Deno first came out it was deliberately incompatible with Node, which limited its ecosystem and audience. Bun came along with a lot of Deno's great features but also Node compatibility, and people really took to that.

But Deno's got Node compatibility now, and Node has adopted a lot of the features that make Deno and Bun so usable. So I'm not sure the choice matters so much these days.